Re: Newbie IDS questions

From: Steve A. Tindle III (leonexis@nuleo.org)
Date: 01/12/02


Date: Fri, 11 Jan 2002 21:46:22 -0800 (PST)
From: "Steve A. Tindle III" <leonexis@nuleo.org>
To: <MHrubes@wizmo.com>

SmoothWall.org has a really great Linux firewall/router/IDS that supports
up to three interfaces (RED outside, GREEN internal network, ORANGE DMZ).
We've been using it for a few months now and it works great. It's a complete
system, but the download is only 20mb for the ISO. Works on a P133 with
32mb ram with a good amount of speed. It also logs port scans and some
trojan activity. Go to http://www.smoothwall.org for more info.

> Hi all,
>
> I'm new to the IDS world. I understand what an IDS does, and why you
> need it, but I have some questions on the technical aspect of IDS. We
> are planning on implementing an IDS in the near future. The idea that
> has been proposed is to put the IDS in the path between connections,
> rather than connected in promiscuous mode. The reason they want to do
> this is so they can also run a blocking software, like portsentry, to
> block unwanted scans, etc.
>
> Is this even possible to do? The idea is to use a Linux server running
> snort. This box would have two interfaces to route the traffic through
> it, scanning the signatures at the same time.
>
> Possible/not possible? If possible, good idea/bad idea? Opinions in
> general?
>
> Thanks in advance,
>
> Mike Hrubes

-- 
Steve A. Tindle III
Webmaster, Nuleo.org
Lead Coder, Realms of Nuleo

"The box said, 'Requires Windows 95 or better', so I installed LINUX"


